I was able to achieve the goal by setting up the broker as follows:
1) Edit the identity provider: NameID Policy Format, select 'unspecified'
2) Edit every client representing a Service Provider application, select
'Name ID format': username
I wonder whether this approach is fine, especially if we use something other
than Keycloak as the third-party provider. Is it something generic for SAML 2.0
or very specific to Keycloak?
According to the doc
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-...
the supported formats for NameID are:
- Email address
- X.509 subject name
- Windows domain qualified name
- Kerberos principal name
- Entity identifier
- Persistent identifier
- Transient identifier
Is username something additional?
On Tue, Jun 26, 2018 at 1:16 PM Leonid Rozenblyum <lrozenblyum(a)gmail.com>
wrote:
Hello!
We're using 2 keycloak instances.
SP -> Keycloak (broker) -> Keycloak (Identity provider)
How can we configure the broker to create usernames equal to the original
username from Keycloak (IdP)? Now the new users inside the broker receive a
G-.... (long meaningless string) username during the first login.
So if a user logs in through the IdP with login 'hello', we would like user
'hello' to be created in the broker.
Thank you for advice.
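The two messages above turn on what the broker does with the NameID it receives: a 'username'-style value arrives with the 'unspecified' format, whereas persistent and transient NameIDs are opaque and cannot be turned back into 'hello'. The following is an added example, not code from this thread or from Keycloak: it parses the NameID of a constructed SAML 2.0 response and applies a broker-side mapping policy that is an assumption for illustration (the issuer URL, sample assertion, username character rules and collision handling are all made up here, and say nothing about how Keycloak itself implements brokering).

```python
"""Derive a broker-side username from the NameID of a SAML 2.0 assertion.

Added example for this thread; it is not code from Keycloak or from the
poster. The sample response, issuer URLs and the mapping policy are
constructed assumptions illustrating the generic SAML 2.0 NameID formats.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# NameID format URIs defined by SAML 2.0 core, section 8.3.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample: the IdP answered an 'unspecified' NameIDPolicy with
# the user's login name as the NameID value (assumed issuer URL).
TRUSTED_IDP = "https://idp.example.test/realms/idp"
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2018-06-26T11:16:00Z">
  <saml:Issuer>https://idp.example.test/realms/idp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-06-26T11:16:00Z">
    <saml:Issuer>https://idp.example.test/realms/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">hello</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Usernames the broker is willing to create (assumption: lowercase, local-part style).
USERNAME_RE = re.compile(r"^[a-z0-9][a-z0-9._@-]{0,63}$")


def extract_name_id(response_xml):
    """Return (issuer, format, value) from the first assertion's Subject."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    # Per the spec an absent Format attribute means 'unspecified'.
    return issuer, name_id.get("Format", UNSPECIFIED), name_id.text.strip()


def broker_username(issuer, fmt, value, trusted_issuer, local_users=frozenset()):
    """Map a NameID to the username the broker would create (assumed policy).

    Only the configured issuer may name users; a transient NameID cannot
    yield a stable account; a persistent NameID is opaque and is kept as-is
    rather than treated as a login name; a username-style NameID that
    collides with an existing local user is rejected instead of silently
    linking the external identity to that account.
    """
    if issuer != trusted_issuer:
        raise ValueError("assertion from untrusted issuer %r" % issuer)
    if fmt == TRANSIENT:
        raise ValueError("transient NameID cannot be used as a stable username")
    if fmt == PERSISTENT:
        return value  # stable but opaque; this is the 'meaningless string' case
    if fmt in (UNSPECIFIED, EMAIL):
        username = value.lower()
        if not USERNAME_RE.match(username):
            raise ValueError("NameID %r is not an acceptable username" % value)
        if username in local_users:
            raise ValueError("NameID %r collides with an existing local user" % username)
        return username
    raise ValueError("unsupported NameID format %r" % fmt)


def username_from_response(response_xml, trusted_issuer, local_users=frozenset()):
    issuer, fmt, value = extract_name_id(response_xml)
    return broker_username(issuer, fmt, value, trusted_issuer, local_users)


if __name__ == "__main__":
    print(username_from_response(SAMPLE_RESPONSE, TRUSTED_IDP))
```

The point of the collision check is that once a broker creates local accounts from an IdP-chosen NameID, the IdP (or anyone who can get it to assert a chosen value) decides which local username an external login maps to; the 'unspecified' format gives the broker no guarantee about the value beyond what it validates itself, so tying the mapping to one trusted issuer and refusing to link onto pre-existing local accounts is the minimum a broker should do.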